x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs

Bug #1926254 reported by Matthew Ruffell
Affects             Status         Importance   Assigned to       Milestone
openssl (Ubuntu)    Fix Released   Undecided    Unassigned
  Focal             Fix Released   Medium       Matthew Ruffell
  Groovy            Fix Released   Medium       Matthew Ruffell
  Hirsute           Fix Released   Undecided    Unassigned

Bug Description

[Impact]

In openssl 1.1.1f, the below commit was merged:

commit ba4356ae4002a04e28642da60c551877eea804f7
Author: Bernd Edlinger <email address hidden>
Date: Sat Jan 4 15:54:53 2020 +0100
Subject: Fix error handling in x509v3_cache_extensions and related functions
Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7

This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen on self-signed leaf certificates with an intermediate CA before the root CA.

Because of this, openssl 1.1.1f rejects these certificates: they cannot be used in the system certificate store, and SSL connections fail when you try to use them to connect to an SSL endpoint.

The error you see when you try to verify is:

$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed

The exact same certificates work fine on Xenial, Bionic and Hirsute.

[1] https://tools.ietf.org/html/rfc5280.html

[Testcase]

We will create our own root CA, intermediate CA and leaf server certificate.

Create necessary directories:

$ mkdir reproducer
$ cd reproducer
$ mkdir CA

Write openssl configuration files to disk for each CA and cert:

$ cat << EOF >> rootCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert

[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Root-CA

[ usr_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

$ cat << EOF >> subCA.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert

[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test RSA PSS Sub-CA

[ usr_cert ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

$ cat << EOF >> user.cnf
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert

[ req_distinguished_name ]
C = DE
O = Test Org
CN = Test User

[ usr_cert ]
basicConstraints = critical,CA:FALSE,pathlen:0
keyUsage = critical,digitalSignature,keyAgreement
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

Then generate the necessary RSA keys and form certificates:

$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1

$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ c_rehash CA

$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
$ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1

Now, let's try to verify the generated certificates:

$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1_cert.pem: verification failed

There are test packages available in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf308725-test

If you install these test packages and attempt to verify again, things work as expected.

$ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
user1_cert.pem: OK

[Where problems could occur]

If a regression were to occur, it would be around x509 certificate parsing and validation. It may cause certificates which had previously passed to fail, or certificates which had previously failed to pass. It could potentially cause all certificates to fail or pass.

Since this is the openssl package and the package is security-critical, this will need a lot of validation and testing, and likely a review by the security team.

One of the commits which fixes the issue adds two testcases to the openssl testsuite, which exercise a "CA:FALSE, pathlen:0" certificate with and without -x509_strict, and check that verification passes without -x509_strict and fails with it.

[Other info]

This was reported in the upstream issue #11456 [2]:

[2] https://github.com/openssl/openssl/issues/11456

I believe these three commits fix the issue:

commit 00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91
Author: Tomas Mraz <email address hidden>
Date: Thu Apr 2 15:56:12 2020 +0200
Subject: Allow certificates with Basic Constraints CA:false, pathlen:0
Link: https://github.com/openssl/openssl/commit/00a0da2f021e6a0bc9519a6a9e5be66d45e6fc91

commit 29e94f285f7f05b1aec6fa275e320bc5fa37ab1e
Author: Tomas Mraz <email address hidden>
Date: Thu Apr 2 17:31:21 2020 +0200
Subject: Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
Link: https://github.com/openssl/openssl/commit/29e94f285f7f05b1aec6fa275e320bc5fa37ab1e

commit e78f2a8f269a4dcf820ca994e2b89b77972d79e1
Author: Tomas Mraz <email address hidden>
Date: Fri Apr 3 10:24:40 2020 +0200
Subject: Add test cases for the non CA certificate with pathlen:0
Link: https://github.com/openssl/openssl/commit/e78f2a8f269a4dcf820ca994e2b89b77972d79e1

These landed in openssl 1.1.1g, and hirsute already has these fixes.
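
The following is an added example, not code from the bug report or from OpenSSL itself: a small pure-Python decoder for the DER value of the basicConstraints extension, plus a function that models the post-fix (1.1.1g) decision described in the [Impact], [Testcase] and [Where problems could occur] sections above. A CA:FALSE certificate carrying pathlen:0 violates RFC 5280 section 4.2.1.9, still verifies in default mode once the fix is applied, and is rejected with X509_V_ERR_INVALID_EXTENSION only under -x509_strict. The status strings, the `check_basic_constraints` model and the sample encodings are assumptions of this example; the sample bytes are hand-constructed DER for the extnValue contents of the certificates the testcase builds, and the 1.1.1f regression itself (error 20 at depth 0) is not modelled.

```python
# Added example (not OpenSSL's code): a minimal DER decoder for the X.509
# basicConstraints extension value plus a model of how OpenSSL >= 1.1.1g
# treats the CA:FALSE,pathlen:0 shape from this bug, with and without
# -x509_strict. Status strings mirror the OpenSSL error names on the page;
# the sample encodings below are constructed by hand.

X509_V_OK = "OK"
X509_V_ERR_INVALID_EXTENSION = "X509_V_ERR_INVALID_EXTENSION"

TAG_BOOLEAN, TAG_INTEGER, TAG_SEQUENCE = 0x01, 0x02, 0x30


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        # BasicConstraints is a handful of bytes; long-form lengths are not expected.
        raise ValueError("unexpected long-form length")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end


def parse_basic_constraints(der):
    """Decode BasicConstraints ::= SEQUENCE {
           cA                 BOOLEAN DEFAULT FALSE,
           pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
    from the extnValue contents. Returns (ca, pathlen); pathlen is None when absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("BasicConstraints must be exactly one SEQUENCE")
    ca, pathlen, pos = False, None, 0
    if pos < len(body) and body[pos] == TAG_BOOLEAN:
        _, val, pos = _read_tlv(body, pos)
        if val not in (b"\x00", b"\xff"):
            raise ValueError("BOOLEAN is not DER (must be 00 or FF)")
        ca = val == b"\xff"
    if pos < len(body) and body[pos] == TAG_INTEGER:
        _, val, pos = _read_tlv(body, pos)
        if not val:
            raise ValueError("empty INTEGER")
        pathlen = int.from_bytes(val, "big", signed=True)
        if pathlen < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(body):
        raise ValueError("trailing bytes inside BasicConstraints")
    return ca, pathlen


def rfc5280_conformant(ca, pathlen):
    """RFC 5280 4.2.1.9: pathLenConstraint is only meaningful when cA is TRUE
    and MUST NOT appear otherwise."""
    return ca or pathlen is None


def check_basic_constraints(der, x509_strict=False):
    """Model (an assumption of this example) of the post-fix decision for one
    certificate's extension: a stray pathLenConstraint on a CA:FALSE cert is
    ignored in default mode (the cert verifies) and reported as
    X509_V_ERR_INVALID_EXTENSION only under -x509_strict. Malformed DER
    still raises ValueError rather than being silently accepted."""
    ca, pathlen = parse_basic_constraints(der)
    if not rfc5280_conformant(ca, pathlen) and x509_strict:
        return X509_V_ERR_INVALID_EXTENSION
    return X509_V_OK


# Constructed sample extnValue encodings (DER omits cA when it equals the default FALSE).
SAMPLES = {
    "CA:FALSE":            bytes.fromhex("3000"),
    "CA:FALSE,pathlen:0":  bytes.fromhex("3003020100"),        # the leaf from this bug
    "CA:TRUE":             bytes.fromhex("30030101ff"),         # the root CA in the testcase
    "CA:TRUE,pathlen:0":   bytes.fromhex("30060101ff020100"),  # the sub-CA in the testcase
}


def report():
    """Classify each sample in default and -x509_strict mode; returns name -> (default, strict)."""
    return {
        name: (check_basic_constraints(der), check_basic_constraints(der, x509_strict=True))
        for name, der in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (default_mode, strict_mode) in report().items():
        print(f"{name:22s} default={default_mode:28s} -x509_strict={strict_mode}")
```

Running the file prints one row per sample; only the "CA:FALSE,pathlen:0" row differs between the two columns, which is exactly the pair of outcomes the upstream testcases check. To run it against a real certificate, feed it the bytes inside the extnValue OCTET STRING of the basicConstraints extension.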

Changed in openssl (Ubuntu):
status: New → Fix Released
Changed in openssl (Ubuntu Hirsute):
status: New → Fix Released
Changed in openssl (Ubuntu Focal):
status: New → In Progress
Changed in openssl (Ubuntu Groovy):
status: New → In Progress
Changed in openssl (Ubuntu Focal):
importance: Undecided → Medium
Changed in openssl (Ubuntu Groovy):
importance: Undecided → Medium
Changed in openssl (Ubuntu Focal):
assignee: nobody → Matthew Ruffell (mruffell)
Changed in openssl (Ubuntu Groovy):
assignee: nobody → Matthew Ruffell (mruffell)
tags: added: focal groovy sts
description: updated
description: updated
Revision history for this message
Matthew Ruffell (mruffell) wrote :

Attached is a debdiff for openssl on Focal which fixes this bug.

Revision history for this message
Matthew Ruffell (mruffell) wrote :

Attached is a debdiff for openssl on Groovy which fixes this bug.

tags: added: sts-sponsor
Revision history for this message
Dan Streetman (ddstreet) wrote :

Added ubuntu-security to the bug, just for a quick review to make sure they don't object to the patch.

I can sponsor this to -updates if there's no objection

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Dan and Matthew, thanks for working on this. I gave the debdiffs a look, skimmed through openssl changes, and don't see any reason to not do this. There *are* larger changes to that function in https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e -- but it's a fairly invasive change, and I'm not recommending or suggesting we take it instead. It'd be nice though if someone could double-check the certs in question against a build that uses this newer commit and make sure that we're not backporting a very short-lived functional change.

Thanks

Revision history for this message
Matthew Ruffell (mruffell) wrote :

Hi Seth,

Thanks for the review.

I read the commit you found:

commit 1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e
Author: Dr. David von Oheimb <email address hidden>
Date: Sat Jun 27 16:16:12 2020 +0200
Subject: Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c
Link: https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e

Firstly, yes, you are right, this commit does refactor the code I am suggesting we SRU to focal and groovy, but upon further inspection, this commit was not backported to the 1.1.1 stable series, as it is missing from the OpenSSL_1_1_1-stable branch. As you mentioned, it is a fairly invasive change that modifies a lot of different x509 components; it isn't suitable to be backported to 1.1.1 stable anyway, much less acceptable for SRU to focal or groovy.

I think we should stick to the small targeted commits I suggested for this SRU, since they are a part of 1.1.1 stable, and are already in hirsute onward.

To test that the logic from the suggested commits to SRU matches this new refactor commit from version 3.0alpha, I went and built the master branch of openssl, which had commit d1a770414acd34c774248ce8efbe202fd7a44041 at HEAD.

$ env LD_LIBRARY_PATH="/home/ubuntu/openssl/" ../openssl/apps/openssl version
OpenSSL 3.0.0-alpha16-dev (Library: OpenSSL 3.0.0-alpha16-dev )

$ env LD_LIBRARY_PATH="/home/ubuntu/openssl/" ../openssl/apps/openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
user1_cert.pem: OK

The logic matches and the reproducer certificates verify OK. This confirms we aren't backporting a short-lived change, and that this behaviour is the desired and accepted outcome.

@ddstreet Please go ahead and sponsor the SRU to -updates, thanks.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Matthew, thanks so much! Sounds good to me.

Revision history for this message
Dan Streetman (ddstreet) wrote :

Uploaded to f/g, thanks!

Revision history for this message
Robie Basak (racb) wrote :

I very much appreciate the security review by Seth here. When I first started reading this bug I was going to insist on having a security review, but then I saw you've already taken care to arrange that. Thank you!

Changed in openssl (Ubuntu Groovy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-groovy
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Matthew, or anyone else affected,

Accepted openssl into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu4.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openssl (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Robie Basak (racb) wrote :

Hello Matthew, or anyone else affected,

Accepted openssl into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssl/1.1.1f-1ubuntu2.4)

All autopkgtests for the newly accepted openssl (1.1.1f-1ubuntu2.4) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

casync/2+20190213-1 (s390x)
uftp/4.10.1-1 (amd64)
galera-3/unknown (amd64)
puma/3.12.4-1ubuntu2 (s390x, arm64)
m2crypto/0.31.0-9ubuntu1 (amd64)
apache2/2.4.41-4ubuntu3.1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#openssl

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (openssl/1.1.1f-1ubuntu4.4)

All autopkgtests for the newly accepted openssl (1.1.1f-1ubuntu4.4) for groovy have finished running.
The following regressions have been reported in tests triggered by the package:

libcrypt-ssleay-perl/0.73.06-1build3 (arm64)
resource-agents/1:4.6.1-1ubuntu2 (s390x)
puma/3.12.4-1ubuntu2 (arm64)
uftp/4.10.2-1 (amd64)
python3.8/3.8.6-1ubuntu0.2 (arm64)
ecflow/5.5.1-1 (s390x)
python3.9/3.9.0-5 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/groovy/update_excuses.html#openssl

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Matthew Ruffell (mruffell) wrote :

Performing verification for Focal

Generating the SSL certificates, and reproducing the problem with version 1.1.1f-1ubuntu2.3 from -updates.

ubuntu@select-lobster:~$ sudo apt-cache policy openssl | grep Installed
  Installed: 1.1.1f-1ubuntu2.3
ubuntu@select-lobster:~$ mkdir reproducer
ubuntu@select-lobster:~$ cd reproducer
ubuntu@select-lobster:~/reproducer$ mkdir CA
ubuntu@select-lobster:~/reproducer$ cat << EOF >> rootCA.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test RSA PSS Root-CA
>
> [ usr_cert ]
> basicConstraints = critical,CA:TRUE
> keyUsage = critical,keyCertSign,cRLSign
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@select-lobster:~/reproducer$ cat << EOF >> subCA.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test RSA PSS Sub-CA
>
> [ usr_cert ]
> basicConstraints = critical,CA:TRUE,pathlen:0
> keyUsage = critical,keyCertSign,cRLSign
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@select-lobster:~/reproducer$ cat << EOF >> user.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test User
>
> [ usr_cert ]
> basicConstraints = critical,CA:FALSE,pathlen:0
> keyUsage = critical,digitalSignature,keyAgreement
> extendedKeyUsage = clientAuth,serverAuth
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@select-lobster:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
......................+++++
............+++++
ubuntu@select-lobster:~/reproducer$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@select-lobster:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
........+++++
....+++++
ubuntu@select-lobster:~/reproducer$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@select-lobster:~/reproducer$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Signature ok
subject=C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
Getting CA Private Key
ubuntu@select-lobster:~/reproducer$ c_rehash CA
Doing CA
ubuntu@select-lobster:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
...................+++++
.........................+++++
ubuntu@select-lobster:~/reproducer$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@select-lobster:~/re...


tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Matthew Ruffell (mruffell) wrote :

Performing verification for Groovy.

I went and generated the SSL certificates and attempted to verify them with the openssl version 1.1.1f-1ubuntu4.3 from -updates.

ubuntu@deep-mako:~$ sudo apt-cache policy openssl | grep Installed
  Installed: 1.1.1f-1ubuntu4.3
ubuntu@deep-mako:~$ mkdir reproducer
ubuntu@deep-mako:~$ cd reproducer
ubuntu@deep-mako:~/reproducer$ mkdir CA
ubuntu@deep-mako:~/reproducer$ cat << EOF >> rootCA.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test RSA PSS Root-CA
>
> [ usr_cert ]
> basicConstraints = critical,CA:TRUE
> keyUsage = critical,keyCertSign,cRLSign
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@deep-mako:~/reproducer$ cat << EOF >> subCA.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test RSA PSS Sub-CA
>
> [ usr_cert ]
> basicConstraints = critical,CA:TRUE,pathlen:0
> keyUsage = critical,keyCertSign,cRLSign
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@deep-mako:~/reproducer$ cat << EOF >> user.cnf
> [ req ]
> prompt = no
> distinguished_name = req_distinguished_name
> x509_extensions = usr_cert
>
> [ req_distinguished_name ]
> C = DE
> O = Test Org
> CN = Test User
>
> [ usr_cert ]
> basicConstraints = critical,CA:FALSE,pathlen:0
> keyUsage = critical,digitalSignature,keyAgreement
> extendedKeyUsage = clientAuth,serverAuth
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always
> EOF
ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
....+++++
............................+++++
ubuntu@deep-mako:~/reproducer$ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
..................................................+++++
.....................................+++++
ubuntu@deep-mako:~/reproducer$ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
ubuntu@deep-mako:~/reproducer$ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
Signature ok
subject=C = DE, O = Test Org, CN = Test RSA PSS Sub-CA
Getting CA Private Key
ubuntu@deep-mako:~/reproducer$ c_rehash CA
Doing CA
ubuntu@deep-mako:~/reproducer$ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
...+++++
.............................................................+++++
ubuntu@deep-mako:~/reproducer$ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa...


tags: added: verification-done verification-done-groovy
removed: verification-needed verification-needed-groovy
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.4

---------------
openssl (1.1.1f-1ubuntu2.4) focal; urgency=medium

  * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
    to validate, as it is common on self-signed leaf certificates.
    (LP: #1926254)
    - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
    - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
    - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch

 -- Matthew Ruffell <email address hidden> Wed, 28 Apr 2021 12:37:28 +1200

Changed in openssl (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.1f-1ubuntu4.4

---------------
openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium

  * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
    to validate, as it is common on self-signed leaf certificates.
    (LP: #1926254)
    - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
    - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
    - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch
  * Split d/p/pr12272.patch into multiple patchfiles to fix dpkg-source
    error when attempting to build a source package, due to pr12272.patch
    patching files multiple times within the same patch. (LP: #1927161)
    - d/p/lp-1927161-1-x86-Add-endbranch-to-indirect-branch-targets-fo.patch
    - d/p/lp-1927161-2-Use-swapcontext-for-Intel-CET.patch
    - d/p/lp-1927161-3-x86-Always-generate-note-gnu-property-section-f.patch
    - d/p/lp-1927161-4-x86_64-Always-generate-note-gnu-property-sectio.patch
    - d/p/lp-1927161-5-x86_64-Add-endbranch-at-function-entries-for-In.patch

 -- Matthew Ruffell <email address hidden> Wed, 05 May 2021 12:13:30 +1200

Changed in openssl (Ubuntu Groovy):
status: Fix Committed → Fix Released